Windowed Watchdog

Fault Coverage in sen: 



By Donald W. Corson 

All developers of embedded microprocessor systems know standard
watchdog timers. They form part of the first line of defense against
malfunctioning processors, be it because of system instability,
external disturbances or real-life situations bringing the system
into untested states. These watchdog circuits are ubiquitous, either
as standalone chips or internal to the microcontrollers themselves.
In systems where human safety is involved, even higher standards of
reliability are required.

For these cases the external windowed watchdog timer is indicated.
These applications include automotive applications like anti-lock
brakes and steering systems, medical instruments like insulin pumps,
robots, industrial control and automatic doors, nuclear power plant
controls and avionics. These systems must be able to recover from a crash
without human assistance, pressing a r 
for example, as any human i 
probably be too late to avoid injury. 

While microprocessors are highly flexible problem solution tools,
their functional reliability is lowered by the probability of code
errors in the program. Defensive programming techniques such as
filling unused ROM with HALT or illegal instructions to trap illegal
jumps in code space will aid in program debugging. They can also give
a small handle for graceful recovery when deployed, but even with the
most careful and complete testing not all errors will be found; 100%
coverage can never be assured.

Ideally, a watchdog-monitored system is able to restart itself back
into a working state and the user will not even know that an error
has occurred. To achieve this level of comfort, the system must be
conceived, and the software programmed, to be able to accept a reset
at any time and to resume normal operation without any operator
intervention.

Many microcontrollers offer an internal programmable watchdog with
similar functionality. These watchdogs can, however, all be disabled
by the software and do not provide the same protection for safety
critical applications as an independent external watchdog timer
circuit. Therefore, it is highly recommended to use an external
watchdog and reset circuit in critical applications.



Operation of Windowed Watchdog Timers

Standard watchdog timers (WDT) are incrementing counters that set
their output if their maximum value is reached. The microcontroller
must reset the counter before that happens by creating an edge on the
timer clear input. If the program execution is faulty because of a
program error or external disturbance causing the program execution
to be slower, the maximum value will be reached and the output set
active. This will catch problems such as hanging because of endless
loops. It will not, however, trigger for such errors as routines
returning before normal completion, which will
cause the program execution to be



For highest security, a windowed watchdog timer (WWDT) demands that
the timer clear input edge be within a certain timing window that is
considered correct. If the signal arrives before or after this








timing window it triggers the output si 
reset the processor or activate other e 
This type of watchdog will effectively c 
the case of a program executing too slowly and ti 
case of a program executing too quickly. Another observed cause of
error is crystals jumping to spurious modes because of external
shocks. Although in this case the crystal will probably return to its
proper frequency after a short time, the processor
may be in danger of improper p 




during this time. The windowed watchdog can 
catch this behavior. 

To understand the real difference in thinking between a standard WDT
and a WWDT, consider the following: a standard watchdog timer assumes
that everything is OK in the system unless it receives no signal from
the system. A WWDT, on the other hand, assumes that there is a problem
in the system unless it receives a signal at the right time. Viewed
this way, it is easy to see how the WWDT increases the coverage of
system errors recognized.

The watchdog timing is broken into two peri- 




f: Allowed^Windoif 

The forbidden window is during the time up to 80% of TWD. The
watchdog timeout is at TWD + 20%. Please see Figure 1. If no /TCL has
been received by the end of the allowed window, the watchdog will
immediately produce a reset pulse. Both a falling flank on /TCL
during the forbidden window and a timeout after TWD + 20% will cause
a reset to be asserted and the enable to be removed. It should be
noted that the timing for the next period starts immediately from the
falling flank of /TCL.

The Important Difference 

To understand the benefits of using a WWDT over 
a standard WDT for high reliability applications 
refer to Figure 2. 

In this diagram we can see the following: At (1) a correct /TCL input
arrives during the allowed window. At (2) and (3) the /TCL signal is
shown arriving too early, during the forbidden window. This results
in the /RES output being asserted immediately by the windowed
watchdog timer. A standard watchdog would not notice this
malfunction. It is only at (4), where no /TCL signal arrives before
the end of the watchdog timeout, that a standard watchdog would react
by asserting /RES, as does the windowed watchdog. It can be seen that
in each case the watchdog timing is counted from the falling flank of
the last /TCL input.

Many WWDT chips also offer an increased confidence enable output
/EN. This output can be used to gate motor signals, for instance, to
immediately stop the motor movement when the processor behavior
cannot be trusted and only allow it again when there is confidence
that the processor is running properly. This signal is only asserted
after three good /TCL flanks have been seen and is removed
simultaneously with the /RES output assertion in case of a detected
malfunction of the processor.
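The behaviour described above (forbidden window up to 80% of the watchdog period, timeout at the period plus 20%, timing restarted from each /TCL falling flank, /EN after three good flanks) can be modelled in a few lines of C. This is an added example, not vendor code or part of the original article; the names, the 100 ms period, the handling of flanks exactly on a window boundary, the restart of timing from the first flank after a reset, and giving the standard watchdog the same timeout are all assumptions made for illustration.

```c
#include <stdio.h>

/* Added behavioural model, not vendor code. All times are in ms. */
typedef struct {
    long twd;    /* nominal watchdog period */
    long last;   /* time of the last /TCL falling flank (or of start-up) */
    int  good;   /* consecutive flanks seen inside the allowed window */
    int  en;     /* 1 while the enable output /EN is asserted */
    int  resets; /* number of /RES assertions so far */
} wwdt;

enum { TCL_OK, TCL_EARLY, TCL_LATE };

void wwdt_init(wwdt *w, long twd, long now) {
    w->twd = twd; w->last = now; w->good = 0; w->en = 0; w->resets = 0;
}

/* Feed one /TCL falling flank at time t; windowed = 0 models a standard WDT. */
int wdt_tcl(wwdt *w, long t, int windowed) {
    long dt = t - w->last;
    int verdict = TCL_OK;
    if (dt > w->twd * 12 / 10)                  /* no flank by period + 20% */
        verdict = TCL_LATE;
    else if (windowed && dt < w->twd * 8 / 10)  /* flank in forbidden window */
        verdict = TCL_EARLY;
    w->last = t;  /* timing restarts from this flank (assumed also after a reset) */
    if (verdict == TCL_OK) {
        if (++w->good >= 3) w->en = 1;          /* /EN only after three good flanks */
    } else {
        w->resets++; w->good = 0; w->en = 0;    /* /RES asserted, /EN removed */
    }
    return verdict;
}

/* Replay a list of flank times and return how many resets were issued. */
int replay(const long *edges, int n, long twd, int windowed) {
    wwdt w;
    wwdt_init(&w, twd, 0);
    for (int i = 0; i < n; i++) wdt_tcl(&w, edges[i], windowed);
    return w.resets;
}

int main(void) {
    /* Constructed trace, period 100 ms: three good flanks, two early, one good, one missing. */
    const long edges[] = {100, 200, 300, 350, 380, 480, 700};
    printf("windowed: %d resets, standard: %d resets\n",
           replay(edges, 7, 100, 1), replay(edges, 7, 100, 0));
    return 0;
}
```

On this trace the windowed model resets three times (two early flanks and the missing one), while the standard model reacts only to the missing flank.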

WWDT circuits generally also include all the features of a standard
voltage supervisory circuit and are available in versions with and
without an accurate protected 5V low-dropout voltage regulator. These
circuits are particularly indicated for decentralized systems such as
in automotive and industrial automation applications as they can
monitor the security and provide the power supply regulation in one
component.

Distributed systems in general are another 
application where windowed watchdogs are a 
powerful help in maintaining confidence in the 







ods. The time when the /TCL falling flank signals 
an error is called the 'forbidden window'. The time when the /TCL
input falling flank is accepted and resets the timer is called the
'allowed window'. In some documentation the allowed window is called
the 'open window' and the forbidden window is called the 'closed
window'. After the allowed window the windowed watchdog times out
causing the


total system. In systems where a master provides timing or
synchronization messages to the slave processors, a standard watchdog
can detect a missing or failing slow master. A windowed watchdog
s the error coverage to failing fast or mul- 

success of the design. The routing of the decoupling capacitors to
the supply and ground traces or planes must be clean and short.
Circuitous paths increase the circuit inductance and possibly
increase the cross coupling between inputs and outputs. Clean
separation between logic supply and the power portion of the circuitry
is especially important in circuits controlling electrical motors with
the large spikes that they will produce on the power supply lines.



Conclusion 

Including an internal voltage regulator and complete power supply
supervision, a windowed watchdog such as the EM Microelectronics
H.M6250 and EM6152 provides greatly improved error case coverage
compared to a standard watchdog and lends itself admirably to
applications requiring stringent security surveillance in today's
distributed intelligence automotive and industrial systems.

Just a short list of automotive application areas could include:

• window motor control
• sunroof motor control
• dashboard computer systems
ar steering sensors
• trunk closure systems
• cruise control
ion control
• motor control

Watchdog components that can recognize being placed in sleep mode
and adapt their behavior to reduce system power consumption without
losing security are also available on the market. These are ideal for
ultra-low power applications using sleep mode, such as those using
CAN-Bus communication, where functional units can be disabled under
software control.

For safety critical applications such as medicine delivery devices,
medical monitoring systems, robots and automatic doors and windows,
wherever they may be installed, a windowed watchdog timer is the
component of choice to be sure to fulfill the demands of regulating
bodies in terms of human safety.
PLANAR BGA REED RELAY 

Coto Technology has introduced the B41, a four independent channel,
form-A, planar BGA reed relay. No slot or hole in the PC board is
required to mount the device, a feature which simplifies the design
of multi-layer boards. Coto's technology also allows for shorter RF
paths in a controlled 50 ohm environment to minimise signal
attenuation. Each channel has an RF insertion loss (-3dB roll-off
point) of >8 GHz.
cotorelay.com Circle CE 315 




TRANSFORMERS WITHSTAND 
SHORT CIRCUIT 

Foster Transformer introduces the Survivor Class 2 transformer with
short circuit and overload protection capable of withstanding a
direct short circuit in excess of 15 days. All Survivor transformers
including the 75 VA and 100 VA models are classified as inherently
limited. This eliminates the need for external protection or the
problematic internal fusing. It also extends the range of class 2
transformers, allowing them to be used in intermittent duty
applications that would cause some fuses or circuit breakers to open.





i8GHzRF SWITCH 
BOOSTS FREQUENCY 



0S-I313 is a P2T, failsafe RF switch from 
It boasts a frequency range of 
with a maximum insertion loss of 



